Activation
PF is enabled by default.
It can be disabled at boot with the rcctl(8) tool:
# rcctl disable pf
Reboot the system to have it take effect.
PF can also be manually activated and deactivated by using the pfctl(8) program:
# pfctl -e
# pfctl -d
These would enable and disable PF, respectively.
Enabling it doesn't actually load a ruleset, however.
The ruleset must be loaded separately, either before or after PF is enabled.
Configuration
PF reads its configuration rules from pf.conf(5) at boot time, as loaded by the rc(8) scripts.
Note that while pf.conf(5) is the default and is loaded by the system rc scripts, it is just a text file loaded and interpreted by pfctl(8) and inserted into pf(4).
For some applications, other rulesets may be loaded from other files after boot.
The pf.conf file has multiple parts:
- Macros: user-defined variables that can hold IP addresses, interface names, etc.
- Tables: a structure used to hold lists of IP addresses.
- Options: various options to control how PF works.
- Filter Rules: allow the selective filtering or blocking of packets as they pass through any of the interfaces.
Blank lines are ignored, and lines beginning with # are treated as comments.
Control
After boot, PF operation can be managed using the pfctl(8) program.
Some example commands are:
# pfctl -f /etc/pf.conf # Load the pf.conf file
# pfctl -nf /etc/pf.conf # Parse the file, but don't load it
# pfctl -sr # Show the current ruleset
# pfctl -ss # Show the current state table
# pfctl -si # Show filter stats and counters
# pfctl -sa # Show everything it can show
For a complete list of commands, please see the man page.
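As an added example (not from this FAQ), the following shell script writes a small pf.conf that contains each of the four parts described in the Configuration section, then applies the parse-before-load pattern from the Control section: pfctl -nf checks the file without touching the running ruleset, and pfctl -f is only run when that check passes. The interface name em0, the addresses, the table name and the file path are assumed values chosen for the example.

```shell
#!/bin/sh
# Constructed example for the PF FAQ: write a minimal ruleset and load it safely.
# Interface, addresses and paths below are assumptions, not values from the FAQ.

write_pf_conf() {
    # $1: destination path for the ruleset file
    cat > "$1" <<'EOF'
# Macros: interface name and the one host allowed to administer this machine
ext_if = "em0"
admin  = "192.0.2.10"

# Table: persistent list of addresses that are never allowed in
table <bruteforce> persist

# Options: drop blocked packets silently; do not filter loopback traffic
set block-policy drop
set skip on lo0

# Filter rules: default deny inbound, allow outbound, then explicit exceptions
block in all
pass out on $ext_if all
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp from $admin to ($ext_if) port 22
EOF
}

check_pf_conf() {
    # Parse only (pfctl -nf): syntax errors are reported, running rules are untouched.
    # On a host without pfctl (non-OpenBSD) report that and fail with status 2.
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; cannot validate $1" >&2
        return 2
    fi
    pfctl -nf "$1"
}

load_pf_conf() {
    # Only replace the live ruleset after the file has parsed cleanly, so a typo
    # in the new file never results in PF running with an unintended ruleset.
    check_pf_conf "$1" && pfctl -f "$1"
}

# Usage (as root on OpenBSD):
#   write_pf_conf /etc/pf.conf.new && load_pf_conf /etc/pf.conf.new
```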